Microsoft released 12 bulletins, five of which were rated as critical, to address 57 vulnerabilities on Patch Tuesday.
Fixing vulnerabilities in Windows, Office, Internet Explorer, Exchange and the .NET Framework, it recommended focusing on MS13-009, MS13-010 and MS13-020 as a priority.
Wolfgang Kandek, CTO of Qualys, said: “The two bulletins affecting IE are the highest priority. One of them, MS13-009, is referred to as the ‘core' IE update by Microsoft because it addresses a number of vulnerabilities directly in IE. It covers 13 bugs with all but one of them being remote code execution vulnerabilities that can be used by an attacker to gain control over a user's machine via drive-by-download. That type of attack is common and is easily accomplished by surreptitiously installing malware.”
Ziv Mador, director of security research at Trustwave, said: “If for some reason you missed the out of band update MS13-008 that was issued a few weeks ago, this update includes patches for the same vulnerability. The thirteen CVEs cover a myriad of issues mostly involving use after free vulnerabilities, which is a fancy way of describing how IE access an item in memory after it has been deleted.
“An attacker could use these vulnerabilities by creating a special web page and then getting people to visit that page either through an emailed link or compromised web site. Thankfully you don't need the problem solving abilities of a rat to protect yourself from these issues, just install the patch.”
Andrew Storms, director of security operations at nCircle, said: “If you only have time to do the absolute minimum, you should patch Internet Explorer and Flash immediately. Both of these remote execution bugs are serious security risks, so patch all of them and patch them fast.
“We received two bulletins that include a total of 14 CVEs affecting all versions of Internet Explorer today. Both bulletins fix ‘drive-by bugs' that only require the victim to browse a website to become infected with malicious code. Maybe the reason the IE bug count is so high this month is because Microsoft's IE security team is determined to beat their bug backlog into submission. I'd hate to think that we should expect this volume of IE CVEs every month in 2013.”
The other Microsoft patch is MS13-010. Ross Barrett, senior manager of security engineering at Rapid7, said: “MS13-010 was indicated as an Internet Explorer patch in the advance notification, but is actually a patch for the VML parser, of which Internet Explorer is just one possible exploit vector.
“The VML issue is particularly dangerous because there is no way to turn off VML parsing in the browser or elsewhere, unlike ActiveX controls, Flash, or hey, even Java - sort of.”
Kandek said: “MS13-010 addresses a vulnerability in an ActiveX Dynamic-Link Library (DLL). It is rated critical and quite urgent to fix because the vulnerability is being exploited in the wild. The bug is in the VML (Vector Markup Language) DLL, the ActiveX control for the largely unused XML-based standard format for two-dimensional Vector graphics. VML has been patched twice before in 2007 and 2011 and it would probably be safest to delete it altogether, but there does not seem to be a way to do this short of disabling all ActiveX processing. Both IE updates, core and VML, should be installed as quickly as possible.”
The other priority patch, which is rated as important MS13-020 is a critical bulletin which only affects installations of Windows XP. Mador said: “This vulnerability only impacts Windows XP3 SP3, that's it. Actually it probably impacts older versions of Windows as well but Microsoft only lists currently supported versions, besides you really shouldn't be running anything older than XP SP3 anyway and even that is questionable. Exploitation requires a specially crafted file and again deals with objects in memory.
“Successful exploitation would result in remote code execution, which of course could allow the attacker to be a complete pig and take complete control of a system. Definitely not something to mess around with. To make things even worse Microsoft expects exploit code to be found in the wild for this vulnerability real soon, so get patching.”